ba966e0c226f46ceaecfe20d1ac32aaeec2b4b81f09885e167c02e3f769be4c9

Analysis

max time kernel
27s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba966e0c226f46ceaecfe20d1ac32aaeec2b4b81f09885e167c02e3f769be4c9.exe
Size

895KB
MD5

70444d7fbd8abd36d455e0eda0abf711
SHA1

b57cfab674e3d7cfa6155763fbd1fa2561921db5
SHA256

ba966e0c226f46ceaecfe20d1ac32aaeec2b4b81f09885e167c02e3f769be4c9
SHA512

a81c2c24b6284557630885c7f8914423ecee61de97f7fe5fd765551131f890a283bd9acd8d257d3aa9c1718d1830ad0e2f866f01020402651c89446f6dcc97fc
SSDEEP

24576:AxqT31T6WE6I5jKqosOm+b5Ak+/cTI3sh3+:P6WE6IN95+b5Al/cTI3sh3+

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1892	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1892	1692	ba966e0c226f46ceaecfe20d1ac32aaeec2b4b81f09885e167c02e3f769be4c9.exe	28
PID 1692 wrote to memory of 1892	1692	ba966e0c226f46ceaecfe20d1ac32aaeec2b4b81f09885e167c02e3f769be4c9.exe	28
PID 1692 wrote to memory of 1892	1692	ba966e0c226f46ceaecfe20d1ac32aaeec2b4b81f09885e167c02e3f769be4c9.exe	28
PID 1692 wrote to memory of 1892	1692	ba966e0c226f46ceaecfe20d1ac32aaeec2b4b81f09885e167c02e3f769be4c9.exe	28

C:\Users\Admin\AppData\Local\Temp\ba966e0c226f46ceaecfe20d1ac32aaeec2b4b81f09885e167c02e3f769be4c9.exe
"C:\Users\Admin\AppData\Local\Temp\ba966e0c226f46ceaecfe20d1ac32aaeec2b4b81f09885e167c02e3f769be4c9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\s.cmd
  2⤵
  - Deletes itself
  PID:1892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\s.cmd

Filesize
285B

MD5
4f42ddacf87dec2796e1f9cd34c52685

SHA1
647950033a85159e033f798099979f1e7ee023fb

SHA256
1ee7db473d6954af3fe61e35d5057fe413d8149a55c4794cd626a18538f9cf67

SHA512
9bef17c292f943c182f7f335b70075c63d9ba8c66762b276af3079af533de78fb14c285174d5b3b767deaa09a524e3e100a64e54958d8739a27c82d66f3dfe86

Download Submit
memory/1692-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download